Re: [pkix] reminder
Paul Hoffman <paul.hoffman@vpnc.org> Sat, 04 August 2012 15:41 UTC
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C024F21F87BE for <pkix@ietfa.amsl.com>; Sat, 4 Aug 2012 08:41:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ve+X6i3TxENd for <pkix@ietfa.amsl.com>; Sat, 4 Aug 2012 08:41:41 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id 1640B21F86DC for <pkix@ietf.org>; Sat, 4 Aug 2012 08:41:41 -0700 (PDT)
Received: from [192.168.0.22] (S01060026f3e16488.vc.shawcable.net [24.84.235.32]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.5) with ESMTP id q74EoPEc019118 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Sat, 4 Aug 2012 07:50:26 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="us-ascii"
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <20120804011634.GA25458@odin.ulthar.us>
Date: Sat, 04 Aug 2012 08:41:34 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <5170CB53-0BE5-404B-B60B-B6EAE221D8CC@vpnc.org>
References: <501AB3A3.4020209@bbn.com> <20120804011634.GA25458@odin.ulthar.us>
To: Scott Schmit <i.grok@comcast.net>
X-Mailer: Apple Mail (2.1278)
Cc: pkix@ietf.org
Subject: Re: [pkix] reminder
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Aug 2012 15:41:41 -0000
On Aug 3, 2012, at 6:16 PM, Scott Schmit wrote: > On Thu, Aug 02, 2012 at 01:06:43PM -0400, Stephen Kent wrote: >> Below is the text that was briefed in the PKIX meeting yesterday and >> that represents the current, proposed text for addition to Section >> 3.2. Russ noted that we need to add a reference to the 2008 version of >> X.509 from which we have cited text. Peter will reissue the doc with >> this change. I plan to forward that version to the IESG a week after >> it is posted, unless we hear otherwise. >> >> Steve >> ----- >> >> Add the following paragraph to the end of RFC 5280, Section 3.2: >> >> Consistent with Section 3.4.61 of X.509 (11/2008) we note that use >> of self-issued certificates and self-signed certificates issued by >> other than CAs are outside the scope of this specification. Thus, >> for example, a web server or client might generate a self-signed >> certificate to identify itself. These certificates, and how a >> relying party uses them to authenticate asserted identities, are >> both outside the scope of RFC 5280. > > As I read it, if you aren't a CA and generate a self-signed certificate, > then that certificate isn't a PKIX certificate. Is that statement > right? Partially. Those certificates are outside the scope of PKIX. However... > If so, it sort of screws up draft-ietf-dane-protocol: > > From section 2.2.1: > # 3 -- Certificate usage 3 is used to specify a certificate, or the > # public key of such a certificate, that MUST match the end entity > # certificate given by the server in TLS. This certificate usage is > # sometimes referred to as "domain-issued certificate" because it > # allows for a domain name administrator to issue certificates for a > # domain without involving a third-party CA. The target certificate > # MUST match the TLSA record. The difference between certificate > # usage 1 and certificate usage 3 is that certificate usage 1 > # requires that the certificate pass PKIX validation, but PKIX > # validation is not tested for certificate usage 3. > # > # The certificate usages defined in this document explicitly only apply > # to PKIX-formatted certificates in DER encoding [X.690]. If TLS > # allows other formats later, or if extensions to this RRtype are made > # that accept other formats for certificates, those certificates will > # need their own certificate usage values. > > (TLSA Certificate usage 3 is intended for self-signed "PKIX" > certificates.) No. It is intended for PKIX-formatted certificates, which is exactly what the DANE spec says. > Maybe the problem is that we talk about PKIX-formatted certificates vs. > PKIX-validated certificates, but both are handled in RFC 5280. Can you say why that's a problem? > Can we distinguish the two? Yes, easily. --Paul Hoffman
- [pkix] reminder Stephen Kent
- Re: [pkix] reminder Peter Sylvester
- Re: [pkix] reminder Stephen Kent
- Re: [pkix] reminder Scott Schmit
- Re: [pkix] reminder Paul Hoffman
- Re: [pkix] reminder Scott Schmit
- Re: [pkix] reminder Stephen Kent
- Re: [pkix] reminder Scott Schmit
- Re: [pkix] reminder Stephen Kent